CVE-2022-35942: 
JavaScript vulnerability analysis and mitigation

CVE-2022-35942 is a critical SQL injection vulnerability discovered in the LoopBack PostgreSQL connector. The vulnerability stems from improper input validation on the contains LoopBack filter, which could allow attackers to perform arbitrary SQL injection attacks. The issue affects versions prior to 5.5.1 and was patched in version 5.5.1 (GitHub Advisory).

The vulnerability occurs when the extended filter property contains is permitted to be interpreted by the Postgres connector. The issue manifests when any of the following conditions are met: connecting to the database via DataSource with allowExtendedProperties: true, using the connector's CRUD methods directly, or using the connector's other methods to interpret the LoopBack filter. The vulnerability has received a CVSS v3.1 base score of 10.0 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) from NVD, indicating its severe nature (NVD).

If exploited, this vulnerability could affect both the confidentiality and integrity of data stored in the connected database. The critical CVSS score indicates that successful exploitation could lead to complete compromise of the affected system's confidentiality, integrity, and availability (GitHub Advisory).

Users are advised to upgrade to version 5.5.1 or later which contains the patch. For those unable to upgrade immediately, several workarounds are available: remove the allowExtendedProperties: true DataSource setting, add allowExtendedProperties: false DataSource setting, or manually sanitize user input for the contains LoopBack filter when passing directly to connector functions (GitHub Advisory).